Consumers and businesses increasingly rely on computers to store sensitive data. Consequently, malicious programmers continually increase their efforts to gain illegitimate control of, and access to, other people's computers. Programmers with malicious motivations have created, and continue to create, viruses, Trojan horses, worms, and other programs meant to compromise computer systems and data belonging to others. Such programs are collectively referred to as malware.
Malware authors may seek to obfuscate their executables in order to evade detection, for example by using binary run-time packers. Because run-time packers typically compress the original code, and compressed data has a near-uniform byte distribution, the packed image has a markedly higher byte entropy than ordinary code and data. Security software may therefore detect packed executables by checking entropy; for example, anti-virus software may flag an executable whose entropy exceeds a threshold as likely packed.
In an effort to circumvent entropy checks, some malware authors use obfuscators that act like polymorphic encryptors yet do not significantly change the entropy of the executable. Malware authors may also keep the overall entropy of an executable within the range expected of ordinary code by including additional sections of filler patterns alongside the obfuscated payload. Traditional security software that relies on a whole-file entropy check may be unable to detect malware obfuscated in this manner. What is needed, therefore, is a better way to detect obfuscated executables, particularly when the obfuscated executables are not detectable using an entropy check.
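The following added example, which is not part of the original text and does not describe the claimed invention, illustrates the entropy check discussed above and how padding defeats a whole-file version of it. The payload is a constructed byte string with a perfectly uniform distribution, standing in for compressed or encrypted data; the filler is constructed zero bytes; the 7.0 bits-per-byte threshold, the window size and the minimum hit count are assumptions chosen for the illustration. A whole-file check passes the padded image as benign, whereas a windowed check still localizes the high-entropy region.

```python
import math
from collections import Counter

# Assumed threshold: compressed or encrypted data approaches 8 bits/byte,
# ordinary x86 code and text usually sit well below 7.
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def windowed_entropy(data: bytes, window: int = 256, step: int = 128):
    """Entropy of each fixed-size window, as (offset, entropy) pairs."""
    results = []
    last_start = max(len(data) - window, 0)
    for off in range(0, last_start + 1, step):
        results.append((off, shannon_entropy(data[off:off + window])))
    return results


def looks_packed_whole(data: bytes, threshold: float = HIGH_ENTROPY) -> bool:
    """Whole-file check: the kind of check padding is meant to defeat."""
    return shannon_entropy(data) >= threshold


def looks_packed_windowed(data: bytes, threshold: float = HIGH_ENTROPY,
                          window: int = 256, step: int = 128,
                          min_windows: int = 4):
    """Windowed check: flag if enough consecutive-sized windows are high entropy.

    Returns (flagged, offsets_of_high_entropy_windows).
    """
    hits = [off for off, e in windowed_entropy(data, window, step)
            if e >= threshold]
    return len(hits) >= min_windows, hits


# Constructed sample data (not taken from any real binary):
# every byte value appears equally often, so entropy is exactly 8.0,
# which is what a compressed or encrypted payload approaches.
PAYLOAD = bytes(range(256)) * 16            # 4096 bytes, entropy 8.0
FILLER = b"\x00" * 2048                     # low-entropy filler, entropy 0.0
# Padded image: filler on both sides pulls the whole-file entropy down to ~4.98.
PADDED = FILLER + PAYLOAD + FILLER


if __name__ == "__main__":
    for name, blob in (("payload", PAYLOAD), ("padded", PADDED)):
        flagged, hits = looks_packed_windowed(blob)
        print(f"{name:8s} whole={shannon_entropy(blob):.2f} "
              f"whole_check={looks_packed_whole(blob)} "
              f"windowed_check={flagged} high_windows={len(hits)}")
```

Running the script shows the padded image scoring about 4.98 bits per byte overall, below the threshold, while 31 of its 256-byte windows still score 8.0. Scanning per section or per window is therefore a more robust check than a single file-level figure, although an obfuscator that interleaves filler at a finer granularity than the window size can lower the per-window figures as well.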